Last change on this file since be2ad50 was be2ad50, checked in by Fiona Klute <fiona.klute@…>, 2 years ago

Create untrusted, but otherwise good certificate for validation test

The previous "imposter" certificate would've already failed the
hostname check. It's still used in SNI tests, to be replaced with a
better fitting certificate later.

SUBDIRS = tests

# Valgrind suppression files shipped with the test suite
VALGRIND_SUPPRESS = suppressions.valgrind
EXTRA_DIST = $(VALGRIND_SUPPRESS)

# Options substituted into the generated test scripts (see the
# test-%.bash rule) when Valgrind support is configured: "--valgrind"
# plus one "--valgrind-suppressions FILE" pair per suppression file,
# addressed via $(srcdir) so VPATH builds find them. Empty otherwise.
if ENABLE_VALGRIND
valgrind_suppression_opts = $(foreach f,$(VALGRIND_SUPPRESS),--valgrind-suppressions "$(srcdir)/$(f)")
valgrind = --valgrind $(valgrind_suppression_opts)
else
valgrind =
endif
12
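# Generate the test scripts from the template. Each test-NN_name.bash
# gets NN (the stem up to the first underscore) substituted for _NUM_
# and the Valgrind options, if any, for _VALGRIND_. The per-test
# directory is an order-only prerequisite (after "|"): it has to
# exist, but its mtime never triggers a rebuild.
#
# $@ is written through a shell redirection; if sed fails part-way,
# the truncated script would still be newer than the template and
# never be regenerated. .DELETE_ON_ERROR tells make to remove the
# target of any failed recipe in this file instead. (GNU make is
# already required here: pattern rules, $(foreach), "?=" and
# order-only prerequisites.)
.DELETE_ON_ERROR:
test-%.bash: test-template.bash.in | tests/%/
	testname="$(*)"; \
	sed -e "s/_NUM_/$${testname%%_*}/" -e 's,_VALGRIND_,$(valgrind),' < $< > $@
	chmod a+x $@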
18
# Names of the test cases; each one becomes test-NAME.bash via the
# pattern rule above, which substitutes the leading number (everything
# before the first underscore) for _NUM_ in the template. The numbers
# are not contiguous.
test_names = \
	00_basic \
	01_priorities_config \
	02_cache_in_vhost \
	03_cachetimeout_in_vhost \
	04_basic_nosni \
	06_verify_sni_a \
	07_verify_sni_b \
	08_verify_no_sni_fallback_to_first_vhost \
	09_verify_no_sni_fails_with_wrong_order \
	10_client_verification \
	12_cgi_variables \
	14_resume_session \
	15_basic_msva \
	16_view-status \
	17_cgi_vars_large_cert \
	19_TLS_reverse_proxy \
	20_TLS_reverse_proxy_client_auth \
	21_TLS_reverse_proxy_wrong_cert \
	22_TLS_reverse_proxy_crl_revoke \
	23_TLS_reverse_proxy_mismatched_priorities \
	24_pkcs11_cert \
	26_redirect_HTTP_to_HTTPS \
	27_OCSP_server \
	28_HTTP2_support \
	29_force_handshake_vhost \
	30_ip_based_vhosts \
	31_vhost_SNI_serveralias_match \
	32_vhost_SNI_serveralias_mismatch \
	33_vhost_SNI_serveralias_missinghost \
	34_TLS_reverse_proxy_h2 \
	35_client_reauth \
	36_OCSP_server_nonce \
	37_TLS_reverse_proxy_resume_session
test_scripts = $(addprefix test-,$(addsuffix .bash,$(test_names)))
52
# The template and the network namespace helper are distributed and
# needed for "make check"; the generated scripts are rebuilt from the
# template and therefore removed on "mostlyclean".
dist_check_SCRIPTS = netns_py.bash test-template.bash.in
MOSTLYCLEANFILES = $(test_scripts)

# Test drivers: .bash scripts are executed directly, .py tests run
# through $(PYTHON). The doctest driver is listed first.
TEST_EXTENSIONS = .bash .py
PY_LOG_COMPILER = $(PYTHON)
TESTS = doctest-mgstest.py $(test_scripts)
59
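# Helper binaries built only for "make check"
check_PROGRAMS = pgpcrc
pgpcrc_SOURCES = pgpcrc.c

# Tool that builds the OCSP index from the test certificates (see the
# %/ocsp_index.txt rule below), linked against GnuTLS.
if ENABLE_OCSP_TEST
check_PROGRAMS += gen_ocsp_index
gen_ocsp_index_SOURCES = gen_ocsp_index.c cert_helper.c
gen_ocsp_index_CFLAGS = $(LIBGNUTLS_CFLAGS)
# Libraries belong in LDADD, not LDFLAGS: Automake places LDFLAGS
# before the object files on the link line, where "-lgnutls" is
# dropped by linkers defaulting to --as-needed and may leave symbols
# unresolved with traditional ones. LDADD goes after the objects.
gen_ocsp_index_LDADD = $(LIBGNUTLS_LIBS)
noinst_HEADERS = cert_helper.h
endif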
71
# Python modules and scripts used by the test suite. They are shipped
# in the tarball but never installed.
noinst_PYTHON = \
	https-test-client.py \
	mgstest/http.py \
	mgstest/__init__.py \
	mgstest/hooks.py \
	mgstest/ocsp.py \
	mgstest/services.py \
	mgstest/softhsm.py \
	mgstest/tests.py \
	mgstest/valgrind.py \
	runtest.py \
	softhsm-init.py \
	doctest-mgstest.py \
	required-modules.py \
	data/ocsp.py \
	check_test_ips.py
78
# Identities in the miniature CA, server, and client environment for
# the test suite. "authority" is the test CA (with a sub-CA below it);
# judging by their names, "rogueca" and its children are an unrelated
# CA whose certificates the tests must reject.
shared_identities = authority authority/client
pgp_identities = $(shared_identities)
x509_only_identities = authority/server authority/imposter \
	authority/subca authority/subca/server \
	rogueca rogueca/imposter rogueca/rogueclient
if ENABLE_OCSP_TEST
x509_only_identities += authority/ocsp-responder authority/subca/ocsp-responder
endif
x509_identities = $(shared_identities) $(x509_only_identities)
# Every identity has an X.509 certificate, so this is the full set.
identities = $(x509_identities)

# Files that must exist per identity, built by appending a suffix to
# each identity directory.
pgp_tokens = $(addsuffix /cert.pgp,$(pgp_identities)) \
	$(addsuffix /secret.pgp,$(pgp_identities))
x509_keys = $(addsuffix /secret.key,$(x509_identities))
x509_certs = $(addsuffix /x509.pem,$(x509_identities))
x509_tokens = $(x509_certs) $(x509_keys)
# PGP tokens are only needed when testing with MSVA.
tokens = $(x509_tokens)
if USE_MSVA
tokens += $(pgp_tokens)
endif
102
if !DISABLE_FLOCK
# flock command for write access to the authority keyring: GnuPG
# keyring updates for the different identities must not run
# concurrently, so the rules using it (presumably those in
# test_ca.mk) serialize on authority/lock. Without flock the test
# target is marked .NOTPARALLEL instead (see below).
GPG_FLOCK = @FLOCK@ authority/lock
endif

# Rules that generate the CA, keys, certificates and PGP keyrings
# listed above. This is an Automake include (processed when automake
# runs), hence the $(srcdir) prefix.
include $(srcdir)/test_ca.mk
109
# Test cases trying to create keys and certificates in parallel cause
# race conditions, so every key and certificate is generated as
# check_DATA before the first test runs.
#
# NOTE: Once the support files exist, test cases can run with
# multiple jobs, but real parallelization would need dynamic port
# assignments. At the moment lock files ensure that only one Apache
# instance (possibly plus a proxy back end instance) runs at any
# time, so test cases wait for each other - just not in any
# particular order.
check_DATA = $(tokens) authority/server/crl.pem

# Per-run output of the test scripts, plus the generated CRL
MOSTLYCLEANFILES += $(addsuffix /*,cache logs outputs) authority/server/crl.pem
123
# Certificate templates (presumably in certtool format). The "*.in"
# files get per-build values filled in, the plain "template" files
# are used as they are. All are distributed via EXTRA_DIST below.
cert_templates = \
	authority/template.in \
	authority/client/template.in \
	authority/imposter/template.in \
	authority/ocsp-responder/template \
	authority/server/template.in \
	authority/subca/template.in \
	authority/subca/server/template.in \
	authority/subca/ocsp-responder/template \
	rogueca/template \
	rogueca/imposter/template.in \
	rogueca/rogueclient/template.in
# Templates produced from the "*.in" files, removed on "mostlyclean".
# NOTE(review): authority/subca/template and
# authority/subca/server/template are also produced from ".in" files
# but are not listed here; confirm that test_ca.mk cleans them, or
# "distcheck" may find them left behind.
generated_templates = \
	authority/template \
	authority/client/template \
	authority/imposter/template \
	authority/server/template \
	rogueca/imposter/template \
	rogueca/rogueclient/template
134
# X.509 private keys are only removed on a full "clean": generating
# fresh keys is slow, and the "mostlyclean" target (below) is enough
# unless new keys are actually wanted.
CLEANFILES = $(x509_keys)

# X.509 certificates, generated templates and uid files go on
# "mostlyclean": they can be rebuilt from the existing keys, and
# regenerating them makes it possible to change identities (e.g.
# host names) without waiting for new key pairs (which "clean"
# would force).
MOSTLYCLEANFILES += $(x509_certs) $(generated_templates) $(addsuffix /uid,$(identities))


# PGP keyrings are created from the X.509 private keys and
# certificates with an expiration time of one day, so rebuilding them
# is both fast and frequently necessary. Remove every GnuPG artifact
# in each PGP identity's GNUPGHOME on "mostlyclean", including the
# private key store and agent socket.
pgp_patterns = /*.pgp /*.pgp.raw /*.gpg /*.gpg~ /gpg.conf \
	/*.kbx /*.kbx~ /S.gpg-agent /private-keys-v1.d/*
MOSTLYCLEANFILES += $(foreach pat,$(pgp_patterns),$(addsuffix $(pat),$(pgp_identities))) \
	authority/lock authority/tofu.db
# GnuPG random pool, no need to regenerate on every build
CLEANFILES += authority/random_seed
158
# GnuPG 2 spawns a gpg-agent per GNUPGHOME (one for every PGP
# identity) while the PGP certificates are created. This target
# kills them again and is used by both "check-local" and
# "mostlyclean-local": after "check" the agents are no longer
# needed, and on "mostlyclean" they must go together with their
# keyrings. An agent that is not running is not an error.
stop-gnupg-agent:
	for home in $(pgp_identities) $(msva_home); do \
		GNUPGHOME="$$home/" gpgconf --kill gpg-agent || true; \
	done

check-local: stop-gnupg-agent
171
# Lock files of the test servers, removed on "mostlyclean"
MOSTLYCLEANFILES += *.lock

# Certificate chain files (presumably the end-entity certificate
# followed by its issuing CAs). The intermediate ones must be listed
# explicitly: otherwise the more general pattern rule matches first
# and the dependency chain is broken.
chain_tokens = \
	authority/server/x509-chain.pem \
	authority/subca/x509-chain.pem \
	authority/subca/server/x509-chain.pem
check_DATA += $(chain_tokens)
MOSTLYCLEANFILES += $(chain_tokens) authority/x509-chain.pem
183
# Rule to build the MSVA trust database. The MSVA gets its own
# GNUPGHOME, seeded with the test CA's key (authority/minimal.pgp,
# presumably the exported public part of the "authority" identity
# built by test_ca.mk) and the test client's OpenPGP certificate.
#
# Security-relevant details of the recipe:
#  - the directory is created with mode 0700, the permissions GnuPG
#    expects for a home directory (it warns about unsafe ones);
#  - the ownertrust entry "<fingerprint>:6:" marks the authority key
#    as ultimately trusted in this keyring only, so certifications
#    made with it (presumably the client certificate's) are accepted
#    by the MSVA;
#  - the fingerprint is taken from all "fpr:" records of the authority
#    secret keyring, joined into a single printf argument. This works
#    only if there is exactly one such record; with several (e.g.
#    subkeys) just the last line would form a valid ownertrust entry.
#    TODO confirm against the key layout produced by test_ca.mk;
#  - gpg.conf points at a non-existent keyserver, so the MSVA never
#    fetches keys from the network while the tests run.
if USE_MSVA
msva_home = msva.gnupghome
check_DATA += $(msva_home)/trustdb.gpg authority/client/uid
MOSTLYCLEANFILES += $(foreach pat,$(pgp_patterns),$(msva_home)$(pat))
$(msva_home)/trustdb.gpg: authority/minimal.pgp authority/client/cert.pgp
	mkdir -p -m 0700 $(dir $@)
	GNUPGHOME=$(dir $@) gpg --import < $<
	printf "%s:6:\n" "$$(GNUPGHOME=authority/ gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
	GNUPGHOME=$(dir $@) gpg --import < authority/client/cert.pgp
	printf "keyserver does-not-exist.example\n" > $(msva_home)/gpg.conf
endif
196
if ENABLE_OCSP_TEST
# Rules to build the OCSP databases for the two CAs
ocsp_index_data = authority/ocsp_index.txt authority/ocsp_index.txt.attr \
	authority/subca/ocsp_index.txt authority/subca/ocsp_index.txt.attr
check_DATA += $(ocsp_index_data)
MOSTLYCLEANFILES += $(ocsp_index_data)

# Index of the certificates found exactly one directory level below
# CA $* (by the directory layout, the ones it issued), leaving out the
# CA's own OCSP responder certificate. The unquoted $(...) is
# intentional: every file found becomes a separate argument. The index
# depends on all tokens, so it is rebuilt whenever any key or
# certificate changes.
%/ocsp_index.txt: $(x509_tokens) gen_ocsp_index
	./gen_ocsp_index $$(find "$*" -mindepth 2 -maxdepth 2 ! -path '*/ocsp-responder/*' -name x509.pem) > $@

# Attribute file in the style of an OpenSSL "ca" database;
# "unique_subject = no" permits several index entries with the same
# subject (presumably re-issued test certificates).
%/ocsp_index.txt.attr:
	@mkdir -m 0700 -p $(@D)
	echo "unique_subject = no" > $@
endif
213
# SoftHSM token holding the server key for the PKCS#11 test. A
# SoftHSM 2 token is a directory, so it cannot go into
# MOSTLYCLEANFILES (rm -f); mostlyclean-local below calls this
# target instead.
SOFTHSM2_TOKEN = authority/server/softhsm2.db
clean-softhsm2-db:
	-rm -rf $(SOFTHSM2_TOKEN)

# The token is only built when configure found SoftHSM
if HAVE_SOFTHSM
check_DATA += $(SOFTHSM2_TOKEN)
endif HAVE_SOFTHSM

# Scratch directories the test scripts write into. They are created
# through a phony target, so "make check" always ensures they exist.
extra_dirs = logs cache outputs
check_DATA += make-test-dirs
make-test-dirs:
	mkdir -p $(extra_dirs)

.PHONY: make-test-dirs clean-softhsm2-db stop-gnupg-agent
230
231
if ENABLE_COVERAGE
# Raw LLVM profile data written by the instrumented module (see
# LLVM_PROFILE_FILE below) and the directory for the HTML report
coverage_raw_dir = outputs/coverage
coverage_out = coverage
MOSTLYCLEANFILES += $(coverage_raw_dir)/*
endif

# Remove what "mostlyclean" cannot express as a file list: the
# SoftHSM token directory, leftover gpg-agent processes, and the
# GnuPG private key directories (emptied via MOSTLYCLEANFILES). The
# rmdir failures are ignored because the directories may not exist.
mostlyclean-local: clean-softhsm2-db stop-gnupg-agent
	-rmdir $(pgp_identities:=/private-keys-v1.d) || true
if USE_MSVA
	-rmdir $(msva_home)/private-keys-v1.d || true
endif
243
# Delete test data directories, and wait for test services to exit.
# Apache instances may take some time to exit and delete their PID
# files; occasionally some PID files were still around during
# "distcheck" runs by the time the target checked whether the build
# directory was really empty after "distclean", breaking the build.
# Delaying "clean-local" until the PID files are gone avoids this,
# and the timeout (TEST_LOCK_WAIT seconds) exposes services that
# really did not stop. The rmdir calls are best-effort: the
# directories only exist after a test run.
clean-local:
if ENABLE_COVERAGE
	-rmdir $(coverage_raw_dir) || true
	-rm -rf $(coverage_out) || true
endif
	-rmdir $(extra_dirs) || true
if USE_MSVA
	-rmdir $(msva_home) || true
endif
	elapsed=0; \
	while ls *.pid && test "$$elapsed" -lt "@TEST_LOCK_WAIT@"; do \
		elapsed=$$((elapsed + 1)); \
		echo "waiting for test services to exit ($$elapsed seconds)"; \
		sleep 1; \
	done
267
# Apache configuration fragments and the content served during the
# tests (data/secret/ presumably being the area behind client
# authentication)
apache_data = \
	base_apache.conf \
	cgi_module.conf \
	data/dump.cgi \
	data/test.txt \
	data/secret/mirror.cgi \
	data/secret/test.txt \
	mime.types \
	proxy_mods.conf
272
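# Which modules are compiled into the Apache binary varies between
# distributions. required-modules.py creates additional LoadModule
# directives if needed.
check_DATA += apache-conf/required-modules.conf
MOSTLYCLEANFILES += apache-conf/required-modules.conf apache-conf/required-modules.conf.tmp
# Write to a temporary file and rename on success: with a plain ">$@"
# a failing script would leave an empty or truncated config that is
# newer than the script, so later "make check" runs would never
# regenerate it and Apache would likely start without the LoadModule
# lines it needs. The directory is created for VPATH builds.
apache-conf/required-modules.conf: required-modules.py
	@mkdir -p $(@D)
	APACHE2=@APACHE2@ AP_LIBEXECDIR=@AP_LIBEXECDIR@ $(PYTHON) $< >$@.tmp && mv -f $@.tmp $@ || { rm -f $@.tmp; exit 1; }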
280
# Documentation for the test system
test_doc = README.md sample_fail.yaml sample_test.yaml

# Everything needed in the source tarball that is neither built nor
# installed: Apache data, certificate templates, the uid templates of
# the shared identities, the CRL template and the documentation.
EXTRA_DIST += $(apache_data) $(cert_templates) $(shared_identities:=/uid.in) \
	authority/server/crl.template $(test_doc)
286
# Lock files (used with flock, see AM_TESTS_ENVIRONMENT below) for the
# Apache instances a test may start: the main server, the proxy back
# end (if any) and the OCSP responder (if any).
test_lockfile = ./test.lock
backend_lockfile = ./backend.lock
ocsp_lockfile = ./ocsp.lock

# TCP ports of the test services. "?=" keeps values given on the make
# command line or in the environment. The scripts receive TEST_IP and
# TEST_HOST from configure and presumably bind there; unless the
# tests run in a network namespace (ENABLE_NETNS below), that address
# should be a loopback one, or the test servers and their content are
# reachable from other hosts while the suite runs.
# main Apache server
TEST_PORT ?= 9932
# MSVA in test cases that use it
MSVA_PORT ?= 9933
# TLS proxy backend server
BACKEND_PORT ?= 9934
# plain HTTP server
TEST_HTTP_PORT ?= 9935
if ENABLE_OCSP_TEST
# OCSP responder
OCSP_PORT ?= 9936
# Template line pointing certificates at the test OCSP responder
# (presumably consumed by test_ca.mk when filling in certificate
# templates). Plain HTTP is the usual transport for OCSP, the
# responses themselves are signed.
OCSP_URI_TEMPLATE = ocsp_uri = http://$(TEST_HOST):$(OCSP_PORT)/ocsp/
endif

# Startup wait for test services such as the MSVA: give up after
# TEST_SERVICE_MAX_WAIT milliseconds, polling every TEST_SERVICE_WAIT
# milliseconds.
TEST_SERVICE_MAX_WAIT ?= 10000
TEST_SERVICE_WAIT ?= 400
311
# Environment exported to every test script by the Automake test
# harness. Tool paths, hosts and timeouts marked @...@ come from
# configure; ports and service waits come from the make variables
# above, so they can be overridden on the make command line.
# NOTE(review): APACHE2 and AP_LIBEXECDIR are the only values not
# double-quoted, so configure-detected paths containing spaces would
# break the export. Everything else is quoted.
AM_TESTS_ENVIRONMENT = export APACHE2=@APACHE2@; \
	export AP_LIBEXECDIR=@AP_LIBEXECDIR@; \
	export PYTHON="@PYTHON@"; \
	export TEST_LOCK_WAIT="@TEST_LOCK_WAIT@"; \
	export TEST_IP="@TEST_IP@"; \
	export TEST_HOST="@TEST_HOST@"; \
	export TEST_PORT="$(TEST_PORT)"; \
	export TEST_SERVICE_MAX_WAIT="$(TEST_SERVICE_MAX_WAIT)"; \
	export TEST_SERVICE_WAIT="$(TEST_SERVICE_WAIT)"; \
	export TEST_QUERY_TIMEOUT="@TEST_QUERY_TIMEOUT@"; \
	export BACKEND_HOST="@TEST_HOST@"; \
	export BACKEND_PORT="$(BACKEND_PORT)"; \
	export TEST_HTTP_PORT="$(TEST_HTTP_PORT)"; \
	export HTTP_CLI="@HTTP_CLI@";

# Port of the MSVA instance started by the tests that use it
if USE_MSVA
AM_TESTS_ENVIRONMENT += export MSVA_PORT="$(MSVA_PORT)";
endif
330
# SoftHSM binary and PKCS#11 module, presumably for the PKCS#11
# certificate test (test-24)
if HAVE_SOFTHSM
AM_TESTS_ENVIRONMENT += export SOFTHSM="@SOFTHSM@"; \
	export SOFTHSM_LIB="@SOFTHSM_LIB@";
endif

# OpenSSL binary (presumably used by the OCSP responder tests) and the
# responder port
if ENABLE_OCSP_TEST
AM_TESTS_ENVIRONMENT += export OPENSSL="@OPENSSL@"; \
	export OCSP_PORT="$(OCSP_PORT)";
endif

# Valgrind binary when the test scripts were generated with Valgrind
# options (see the valgrind variable at the top)
if ENABLE_VALGRIND
AM_TESTS_ENVIRONMENT += export VALGRIND="@VALGRIND@";
endif
344
# With network namespace support the scripts get the "unshare" path
# and a flag telling them to use a test namespace. Presumably the
# test servers then listen inside a private namespace, so the fixed
# ports above are not bound on the host's real interfaces and
# concurrent test runs cannot collide.
if ENABLE_NETNS
AM_TESTS_ENVIRONMENT += export UNSHARE="@UNSHARE@"; \
	export USE_TEST_NAMESPACE=1;
endif
# Without flock, tests must not run in parallel (.NOTPARALLEL) and
# the servers' PID files double as lock files to prevent conflicts
# between server instances. Otherwise dedicated lock files are used
# with flock, which lets test cases queue up for the servers.
if DISABLE_FLOCK
AM_TESTS_ENVIRONMENT += export TEST_LOCK="apache2.pid"; \
	export BACKEND_LOCK="backend.pid"; \
	export OCSP_LOCK="ocsp.pid";
.NOTPARALLEL:
else
AM_TESTS_ENVIRONMENT += export FLOCK="@FLOCK@"; \
	export TEST_LOCK="$(test_lockfile)"; \
	export BACKEND_LOCK="$(backend_lockfile)"; \
	export OCSP_LOCK="$(ocsp_lockfile)";
endif
363
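if ENABLE_COVERAGE
# Each instrumented process writes its own raw profile into the
# coverage directory (%p is the process id, %Nm an LLVM merge-pool
# id).
AM_TESTS_ENVIRONMENT += export LLVM_PROFILE_FILE="$(coverage_raw_dir)/%p-%3m.profraw";

# LLVM tools used to merge the profiles and render the report. They
# default to the unversioned names but can be overridden (e.g.
# "make coverage LLVM_COV=llvm-cov-15") to match the compiler that
# built the instrumented module.
LLVM_PROFDATA ?= llvm-profdata
LLVM_COV ?= llvm-cov

# Merge all raw profiles of a test run. The glob is expanded by make
# when the rule is read, so this only works after a "make check"
# with coverage enabled has produced profiles.
outputs/coverage.profdata: $(coverage_raw_dir)/*.profraw
	$(LLVM_PROFDATA) merge -sparse $^ -o $@

# Render the HTML report for the module sources into $(coverage_out)/
coverage/index.html: outputs/coverage.profdata
	$(LLVM_COV) show ../src/.libs/mod_gnutls.so -instr-profile=$< -format=html $(srcdir)/../src/*.c $(srcdir)/../src/*.h $(srcdir)/../include/*.h -output-dir=$(dir $@)/

coverage: coverage/index.html
endif
# "coverage" is a convenience name, not a file: declare it phony so
# the report directory of the same name is never mistaken for an
# up-to-date target.
.PHONY: coverage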
375
# Echo AM_TESTS_ENVIRONMENT. This can be useful for debugging, e.g. if
# you want to manually run an Apache instance with Valgrind using the
# same configuration as a test case. The target-specific "export"
# hands the expanded string to the recipe as $TEST_ENV; since every
# entry is an "export ...;" statement, the output can be eval'ed in
# a shell.
# NOTE(review): not declared .PHONY, so a file named show-test-env in
# the build directory would silence it.
show-test-env: export TEST_ENV=$(AM_TESTS_ENVIRONMENT)
show-test-env:
	@echo "$${TEST_ENV}"
382
# Build the test suite README as HTML if pandoc is available.
if USE_PANDOC
noinst_DATA = README.html
MOSTLYCLEANFILES += $(noinst_DATA)
# The stylesheet is picked out of the prerequisites by suffix, so the
# rule does not depend on their order.
# NOTE(review): newer pandoc releases deprecate --self-contained in
# favour of "--embed-resources --standalone"; check which versions
# configure accepts before changing it.
%.html: %.md $(srcdir)/../doc/style.css
	$(PANDOC) -f markdown --self-contained --css $(filter %.css,$^) --metadata pagetitle="$<" -o $@ $<
endif