source: mod_gnutls/test/Makefile.am @ cf4e708

Last change on this file since cf4e708 was cf4e708, checked in by Thomas Klute <thomas2.klute@…>, 5 years ago

Run tests in separate network namespaces

Creating a network namespace for each test avoids port conflicts so
Apache instances can run in parallel, and also isolates the tests from
the host system.

Test namespaces are automatically used if the "unshare" command is
available, and can be disabled by passing "--disable-test-namespaces"
to ./configure.

# Recurse into the tests/ subdirectory.
SUBDIRS = tests

# Test case scripts. The "dist_" prefix ships them in the release
# tarball; the "check_" prefix means they are only needed for
# "make check". Going by the script names, the list mixes positive
# cases with negative ones (e.g. *_fail, *_wrong_cert, *_crl_revoke),
# so a change to this list changes which failure paths get exercised.
dist_check_SCRIPTS = test-00_basic.bash \
	test-01_serverwide_priorities.bash \
	test-02_cache_in_vhost.bash \
	test-03_cachetimeout_in_vhost.bash \
	test-04_basic_nosni.bash \
	test-05_mismatched-priorities.bash \
	test-06_verify_sni_a.bash \
	test-07_verify_sni_b.bash \
	test-08_verify_no_sni_fallback_to_first_vhost.bash \
	test-09_verify_no_sni_fails_with_wrong_order.bash \
	test-10_basic_client_verification.bash \
	test-11_basic_client_verification_fail.bash \
	test-12_cgi_variables.bash \
	test-13_cgi_variables_no_client_cert.bash \
	test-14_basic_openpgp.bash
# The MSVA test is only part of the suite when USE_MSVA is enabled.
if USE_MSVA
dist_check_SCRIPTS += test-15_basic_msva.bash
endif
dist_check_SCRIPTS += test-16_view-status.bash \
	test-17_cgi_vars_large_cert.bash \
	test-18_client_verification_wrong_cert.bash \
	test-19_TLS_reverse_proxy.bash \
	test-20_TLS_reverse_proxy_client_auth.bash \
	test-21_TLS_reverse_proxy_wrong_cert.bash \
	test-22_TLS_reverse_proxy_crl_revoke.bash \
	test-23_TLS_reverse_proxy_mismatched_priorities.bash \
	test-24_pkcs11_cert.bash

# Every script listed above is run as a test case by "make check".
TESTS = $(dist_check_SCRIPTS)
32
# Identities in the miniature CA, server, and client environment for
# the test suite. Each identity name is also the directory that holds
# its key material (see the path suffixes below).
identities = server authority client imposter rogueca
# Substitution references with an empty pattern: $(identities:=/x)
# appends "/x" to every word of $(identities), which yields the list
# of per-identity files the tests need.
pgp_tokens = $(identities:=/secring.gpg) $(identities:=/cert.pgp) \
	$(identities:=/secret.pgp)
# X.509 private keys, one per identity.
x509_keys = $(identities:=/secret.key)
# X.509 certificates, one per identity.
x509_certs = $(identities:=/x509.pem)
x509_tokens = $(x509_certs) $(x509_keys)
# Everything that must exist before the tests start: X.509 and PGP
# material for all identities.
tokens = $(x509_tokens) $(pgp_tokens)
44
45include $(srcdir)/test_ca.mk
46
# Test cases trying to create keys and certificates in parallel cause
# race conditions. Ensure that all keys and certificates are generated
# before tests get to run.
#
# NOTE: Once the support files have been generated, test cases can be
# run with multiple jobs, but real parallelization would require
# dynamic port assignments. At the moment, lock files ensure that only
# one Apache instance (possibly plus a proxy back end instance) is
# running at any time, so test cases actually have to wait for each
# other - just not in any particular order.
#
# NOTE(review): when ENABLE_NETNS is set, this file exports
# USE_TEST_NAMESPACE=1 to the test scripts. Confirm whether the
# statement above about port assignments and one-instance-at-a-time
# locking still holds in that configuration, and update it if not.
check_DATA = $(tokens) server/crl.pem
58
# Contents of the cache, logs and outputs directories plus the
# generated CRL are removed on "mostlyclean".
MOSTLYCLEANFILES = cache/* logs/* outputs/* server/crl.pem

# Certificate templates: the *.in files are inputs from which
# $(generated_templates) are produced; rogueca.template is listed
# as-is, without a generated counterpart.
cert_templates = authority.template.in client.template.in \
	imposter.template.in rogueca.template server.template.in
generated_templates = authority.template client.template \
	imposter.template server.template

# Delete X.509 private keys on full clean. Note that unless you need
# to generate fresh keys, the "mostlyclean" target should be
# sufficient (see below).
# NOTE(review): until "clean" is run, the private keys of all test
# identities stay in the build tree; they should be treated as
# test-only material and never reused for a real service.
CLEANFILES = $(x509_keys)

# Delete X.509 certificates and generated templates on "mostlyclean"
# target. Certificates can be rebuilt without generating new key
# pairs, and regenerating them makes it possible to change identities
# (e.g. host names) without wasting entropy on new keys (which would
# happen after "clean").
MOSTLYCLEANFILES += */x509.pem $(generated_templates) *.uid


# Delete PGP keyrings on "mostlyclean" target. They are created from
# the X.509 private keys and certificates with an expiration time of
# one day, so regenerating them is both fast and frequently
# necessary.
# Note that the */*.pgp and */*.gpg globs also cover the PGP secret
# keys (secret.pgp, secring.gpg) listed in pgp_tokens.
MOSTLYCLEANFILES += */*.pgp */*.gpg */*.gpg~ */gpg.conf authority/lock
# GnuPG random pool, no need to regenerate on every build
CLEANFILES += authority/random_seed

# Delete lock files for test servers on "mostlyclean" target.
MOSTLYCLEANFILES += *.lock
89
# Rule to build the MSVA trust database. The GnuPG home directory
# $(msva_home) is populated in four steps whose order matters:
#   1. import the authority's key (first prerequisite, $<),
#   2. mark the authority's key as trusted via an ownertrust record,
#   3. import the client certificate,
#   4. write a gpg.conf that names a keyserver under the reserved
#      ".example" domain (presumably so that tests never contact a
#      real keyserver - confirm).
#
# NOTE(review): the recipe consists of several independent commands,
# but the target is a file inside the GnuPG home that may already
# exist after an early step. If a later step fails, a following
# "make check" could consider the trust database up to date although
# ownertrust or the client key is missing. Consider removing $@ on
# failure.
if USE_MSVA
msva_home = msva.gnupghome
check_DATA += $(msva_home)/trustdb.gpg client.uid
MOSTLYCLEANFILES += $(msva_home)/trustdb.gpg
$(msva_home)/trustdb.gpg: authority/minimal.pgp client/cert.pgp
	# Owner-only permissions for the GnuPG home. "-m" only applies
	# when mkdir actually creates the directory.
	mkdir -p -m 0700 $(dir $@)
	GNUPGHOME=$(dir $@) gpg --import < $<
	# Field 10 of the "fpr:" records is the key fingerprint; the
	# value 6 in an ownertrust record means ultimate trust. The
	# command substitution is passed to printf as ONE argument, so
	# this assumes exactly one "fpr:" line in the authority keyring.
	# NOTE(review): an empty or multi-line result is not detected
	# here - confirm that gpg rejects such input.
	printf "%s:6:\n" "$$(GNUPGHOME=authority gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" | GNUPGHOME=$(dir $@) gpg --import-ownertrust
	GNUPGHOME=$(dir $@) gpg --import < client/cert.pgp
	printf "keyserver does-not-exist.example\n" > $(msva_home)/gpg.conf
endif
102
# SoftHSM files: the token database must exist before the tests run
# (check_DATA); it and the SoftHSM configuration of test 24 are
# removed again on "mostlyclean". The rule that creates
# server/softhsm.db is not in this file (presumably in the included
# test_ca.mk - confirm).
check_DATA += server/softhsm.db
MOSTLYCLEANFILES += tests/24_pkcs11_cert/softhsm.conf server/softhsm.db
106
107
# Directories that must exist for a test run.
extra_dirs = logs cache outputs

# make-test-dirs is a phony target hooked into check_DATA, so the
# directories are (re)created whenever the check data is built.
.PHONY: make-test-dirs
check_DATA += make-test-dirs
make-test-dirs:
	mkdir -p $(extra_dirs)
113
# Hook for "make clean": try to remove the identity, scratch and
# (if enabled) MSVA directories. rmdir refuses to delete a directory
# that still has content; "|| true" turns that into a non-fatal
# condition so the remaining clean steps still run.
clean-local:
	rmdir $(identities) || true
	rmdir $(extra_dirs) || true
if USE_MSVA
	rmdir $(msva_home) || true
endif
120
# Apache configuration and data files
apache_data = base_apache.conf cgi_module.conf data/* mime.types proxy_mods.conf

# Additional files shipped in the release tarball.
# NOTE(review): "data/*" and "*.uid.in" are shell globs, so every
# matching file present in the source tree at "make dist" time is
# packaged, including stray ones. Check the tree (or list the files
# explicitly) before cutting a release.
EXTRA_DIST = $(apache_data) $(cert_templates) *.uid.in common.bash \
	proxy_backend.bash runtests server-crl.template server-softhsm.conf \
	softhsm.bash
127
# Lockfile for the main Apache process
test_lockfile = ./test.lock
# Lockfile for the proxy backend Apache process (if any)
backend_lockfile = ./backend.lock
# Maximum wait time in seconds for flock to acquire instance lock
# files, or Apache to remove its PID file
lock_wait = 30

# The settings below use "?=", so a value already present in the
# environment or given on the make command line takes precedence.

# port for the main Apache server
TEST_PORT ?= 9932
# port for MSVA in test cases that use it
MSVA_PORT ?= 9933
# maximum time to wait for MSVA startup (milliseconds)
TEST_MSVA_MAX_WAIT ?= 10000
# wait loop time for MSVA startup (milliseconds)
TEST_MSVA_WAIT ?= 400
# seconds for the HTTP request to be sent and responded to
TEST_QUERY_DELAY ?= 30
146
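# Shell code that sets up the environment of every test script.
#
# All values are quoted, including APACHE2 and AP_LIBEXECDIR, so that
# a path containing whitespace is exported as one value instead of
# being split by the shell.
#
# The variables are expanded by make and pasted into the shell text
# before the shell runs. The double quotes therefore only prevent
# word splitting; quotes, "$" or backticks inside a value would still
# be interpreted by the shell. Treat these settings (where they come
# from is not shown here; presumably configure, the environment or
# the make command line) as trusted build input.
AM_TESTS_ENVIRONMENT = export APACHE2="$(APACHE2)"; \
	export AP_LIBEXECDIR="$(AP_LIBEXECDIR)"; \
	export TEST_LOCK_WAIT="$(lock_wait)"; \
	export TEST_HOST="$(TEST_HOST)"; \
	export TEST_PORT="$(TEST_PORT)"; \
	export MSVA_PORT="$(MSVA_PORT)"; \
	export TEST_MSVA_MAX_WAIT="$(TEST_MSVA_MAX_WAIT)"; \
	export TEST_MSVA_WAIT="$(TEST_MSVA_WAIT)"; \
	export TEST_QUERY_DELAY="$(TEST_QUERY_DELAY)"; \
	export BACKEND_HOST="$(TEST_HOST)";

# With network namespaces enabled, tell the test scripts which
# "unshare" command to use and that they should use a namespace.
if ENABLE_NETNS
AM_TESTS_ENVIRONMENT += export UNSHARE="$(UNSHARE)"; \
	export USE_TEST_NAMESPACE=1;
endif
# Without flock tests must not run in parallel. Otherwise set lock files.
if DISABLE_FLOCK
.NOTPARALLEL:
else
AM_TESTS_ENVIRONMENT += export FLOCK="$(FLOCK)"; \
	export TEST_LOCK="$(test_lockfile)"; \
	export BACKEND_LOCK="$(backend_lockfile)";
endif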
170
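# Echo AM_TESTS_ENVIRONMENT. This can be useful for debugging, e.g. if
# you want to manually run an Apache instance with Valgrind using the
# same configuration as a test case.
#
# The text is handed to the recipe through the exported, target-specific
# variable TEST_ENV and printed from the shell ("$$" yields a literal
# "$"), so the export statements are shown, not executed.
#
# Declared phony so that a file named "show-test-env" in the build
# directory cannot make the target look up to date.
.PHONY: show-test-env
show-test-env: export TEST_ENV=$(AM_TESTS_ENVIRONMENT)
show-test-env:
	@echo "$${TEST_ENV}"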