Changeset 94430e6 in mod_gnutls

Timestamp:

Oct 10, 2017, 12:32:13 PM (2 years ago)

Author:

Thomas Klute <thomas2.klute@…>

Branches:

debian/master, debian/stretch-backports, master, upstream

Children:

e00d91a

Parents:

a09df8c

Message:

Test suite: Run a separate Apache instance for the OCSP responder

This change will be needed to cache OCSP responses on start (and
schedule) instead of when needed. An OCSP responder in the same Apache
instance won't be ready while the mod_gnutls post_config hook is
executing.

The changes to lock file handling included in this patch mean that
most parts of the test framework won't need to check which locking
method (if any) is used, they can just pass a lock file which is then
used for flock or PID file checks depending on ./configure results.

Files:

• configure.ac (modified) (1 diff)
• test/.gitignore (modified) (1 diff)
• test/Makefile.am (modified) (3 diffs)
• test/ocsp_server.conf.in (moved) (moved from test/ocsp_server.conf) (1 diff)
• test/proxy_backend.bash (modified) (3 diffs)
• test/test-26_redirect_HTTP_to_HTTPS.bash (modified) (1 diff)
• test/test-27_OCSP_server.bash (modified) (2 diffs)
• test/tests/27_OCSP_server/apache.conf (modified) (1 diff)
• test/tests/27_OCSP_server/ocsp.conf (added)
• test/tests/Makefile.am (modified) (1 diff)

configure.ac

@@ -292 +292 @@
 AC_CONFIG_FILES([Makefile src/Makefile test/Makefile test/tests/Makefile \
                         doc/Makefile doc/doxygen.conf include/mod_gnutls.h \
-                        test/proxy_backend.conf \
+                        test/proxy_backend.conf test/ocsp_server.conf \
                         test/apache-conf/listen.conf \
                         test/apache-conf/netns.conf])

test/.gitignore

@@ -1 +1 @@
 cache
 proxy_backend.conf
+ocsp_server.conf
 *~
 logs

test/Makefile.am

@@ -194 +194 @@
 apache_data = base_apache.conf cgi_module.conf data/dump.cgi data/ocsp.cgi \
         data/secret.txt data/test.txt ffdhe3072.pem mime.types \
-        ocsp_server.conf proxy_mods.conf
+        proxy_mods.conf
 
 EXTRA_DIST = $(apache_data) $(cert_templates) $(shared_identities:=.uid.in) \
@@ -204 +204 @@
 # Lockfile for the proxy backend Apache process (if any)
 backend_lockfile = ./backend.lock
+# Lockfile for the OCSP server Apache process (if any)
+ocsp_lockfile = ./ocsp.lock
 
 # port for the main Apache server
@@ -245 +247 @@
         export USE_TEST_NAMESPACE=1;
 endif
-# Without flock tests must not run in parallel. Otherwise set lock files.
+# Without flock tests must not run in parallel, and PID files are used
+# to prevent conflicts between server instances. Otherwise set lock
+# files for flock.
 if DISABLE_FLOCK
+AM_TESTS_ENVIRONMENT += export TEST_LOCK="apache2.pid"; \
+        export BACKEND_LOCK="backend.pid"; \
+        export OCSP_LOCK="ocsp.pid";
 .NOTPARALLEL:
 else
 AM_TESTS_ENVIRONMENT += export FLOCK="@FLOCK@"; \
         export TEST_LOCK="$(test_lockfile)"; \
-        export BACKEND_LOCK="$(backend_lockfile)";
+        export BACKEND_LOCK="$(backend_lockfile)"; \
+        export OCSP_LOCK="$(ocsp_lockfile)";
 endif
 

test/ocsp_server.conf.in

@@ +1 @@
+Define  OCSP_PORT       ${OCSP_PORT}
+Define  TEST_PORT       ${OCSP_PORT}
+
+Include ${srcdir}/base_apache.conf
+
 Include         ${srcdir}/cgi_module.conf
 LoadModule      env_module              ${AP_LIBEXECDIR}/mod_env.so
 LoadModule      rewrite_module          ${AP_LIBEXECDIR}/mod_rewrite.so
+
+# separate log and PID file
+CustomLog       logs/${TEST_NAME}.ocsp.access.log combined
+ErrorLog        logs/${TEST_NAME}.ocsp.error.log
+PidFile         ocsp@PID_AFFIX@.pid
+
 <IfDefine !OCSP_INDEX>
         # Default index file, define OCSP_INDEX in the test specific

test/proxy_backend.bash

@@ -10 +10 @@
     export BACKEND_PORT="9934"
 fi
-: ${BACKEND_PID:="backend.pid"}
 : ${srcdir:="."}
 : ${APACHE2:="apache2"}
@@ -21 +20 @@
     conf="${2}"
     action="${3}"
-    # needed only for start
+    # Needed only for start. The "lockfile" parameter is used as flock
+    # lock file or PID file to watch depending on whether FLOCK is
+    # set.
     lockfile="${4}"
 
@@ -39 +40 @@
                 else
                     echo "Locking disabled, using wait based on proxy PID file."
-                    wait_pid_gone "${BACKEND_PID}"
+                    wait_pid_gone "${lockfile}"
                 fi
                 ${flock_cmd} \

test/test-26_redirect_HTTP_to_HTTPS.bash

@@ -17 +17 @@
 
 # "Proxy backend" functions are used to start the only instance needed
-# here without "runtests". We have to override BACKEND_PID and
-# BACKEND_PORT to make them match what a runtests-based test would
-# use.
-export BACKEND_PID="apache2.pid"
+# here without "runtests". We have to override BACKEND_PORT to make it
+# match what a runtests-based test would use.
 export BACKEND_PORT="${TEST_PORT}"
 function stop_backend

test/test-27_OCSP_server.bash

@@ -4 +4 @@
 # Skip if OCSP tests are not enabled
 [ -n "${OCSP_PORT}" ] || exit 77
+
+: ${srcdir:="."}
+. ${srcdir}/common.bash
+netns_reexec ${@}
+
+. $(dirname ${0})/proxy_backend.bash
+
+testdir="${srcdir}/tests/27_OCSP_server"
+TEST_NAME="$(basename ${testdir})"
+
+backend_apache "${testdir}" "ocsp.conf" start "${OCSP_LOCK}"
 
 # trigger OCSP server test in the runtests script
@@ -12 +23 @@
 ${srcdir}/runtests t-27
 ret=${?}
+
+backend_apache "${testdir}" "ocsp.conf" stop
 
 echo "Checking if client actually got a stapled response."

test/tests/27_OCSP_server/apache.conf

@@ -1 @@
-Define  OCSP_PORT       ${OCSP_PORT}
-
 Include ${srcdir}/base_apache.conf
-Include ${srcdir}/ocsp_server.conf
-GnuTLSCache dbm cache/gnutls_cache
+GnuTLSCache dbm cache/gnutls_cache_${TEST_NAME}
 
 <VirtualHost _default_:${TEST_PORT}>

test/tests/Makefile.am

@@ -27 +27 @@
         25_Disable_TLS_1.0/apache.conf 25_Disable_TLS_1.0/fail.client 25_Disable_TLS_1.0/gnutls-cli.args 25_Disable_TLS_1.0/input \
         26_redirect_HTTP_to_HTTPS/apache.conf \
-        27_OCSP_server/apache.conf 27_OCSP_server/gnutls-cli.args 27_OCSP_server/input 27_OCSP_server/output
+        27_OCSP_server/apache.conf 27_OCSP_server/gnutls-cli.args 27_OCSP_server/input 27_OCSP_server/ocsp.conf 27_OCSP_server/output